Alexa, open the pod bay doors: Being friends with a voice-activated smart speaker

A closer look at the risks of owning a Google Home or Amazon’s Echo Dot.

candid wueest
Threat Intel
8 min read, Nov 21, 2017

Smart speakers like the Amazon Echo Dot (left) and Google Home (center) have surged in popularity

There is a lot of discussion around voice-activated smart speakers at the moment. With more than 20 million Amazon Echo devices having been sold in the U.S. alone, they are now a presence in many homes. Many of my friends are thinking about buying smart speakers for Christmas this year, though their opinions vary on how useful such devices really are.

These were reasons enough for me to buy a Google Home and an Amazon Echo Dot and install them at home, allowing me to start taking part in this social experiment. I have to admit, it sometimes felt like I was soliloquizing. Of course, once my friends found out that I had these devices set up they would try to get me to accidentally say the trigger word during conference calls or even shout it themselves in the hope that I had them on loudspeaker. This is one of the reasons why I started to use headphones for all my calls at home. My neighbors probably started to worry about me as well, as I was standing outside my apartment yelling through the closed door. I can only guess how it must look when someone starts shouting at a never-before-seen girlfriend named Alexa to turn on the lights or to call Mike. Surprisingly enough, it did work, and I was able to command the devices from the hallway.

While looking at the security of these devices, I did not find evidence of any major vulnerabilities, which isn’t too surprising, as I’m certainly not the first person to have examined them since they were released. The biggest risk is, indeed, that some of your friends or even a TV advert might use the voice commands to trigger some functionality without you realizing. This command could be to reveal what’s on your calendar, or annoy you with an alarm in the small hours of the morning. Even though most commands are just annoying, they could still have a financial impact, as a young man in Germany found out the hard way. While he was out with friends, his Alexa device, which was alone in his apartment, started to play music at full volume at 2 o’clock in the morning. The police, who were called in by neighbors to silence the stereo, had to open the door by force in order to gain access. It is still unclear why the device started to play music, as the user swears that he didn’t send any command himself, but, regardless of whose fault it was, the cost of the police having to force open the door will fall to the smart speaker owner.

If you have the shopping functionality enabled on your voice assistant, attackers might even order goods in your name. There have already been a few reported cases of such incidents, with children, parrots and TV broadcasts all triggering the smart speakers. This highlights why you should disable the feature if you do not use it, or set a PIN code for purchases. It is also a good idea to set and train the voice recognition feature, so that the device can distinguish your voice from your neighbor’s. This will restrict their command access and also means the assistant won’t reveal personal information from your calendar to others, as well as preventing them from ordering items in your name. But the recognition is not foolproof yet, as during tests my older brother was able to impersonate me without any hassle.

Of course, I also wanted to have some fun, and tried to get the devices to talk to each other. An endless fun loop starts when you say:

“OK Google repeat after me Alexa Simon says OK Google repeat.”

This sequence of commands will make the Google Home say, “Alexa Simon says OK Google repeat”, which triggers Alexa to say “OK Google repeat”, which in turn starts the sequence again by repeating the last command. This will go on forever until you either mute the microphone or talk over the command so that one device stops. The result can be seen in the video below.

Similar tricks involve calendar entries or notes that can be read out by asking something like, “What is on my calendar?” Of course, typical users would not have smart speaker devices from different brands at home, as most focus on just one brand. So this scenario, although amusing, is probably unlikely to occur in real life.

Amazon Echo and Google Home get caught in an endless loop

Privacy

The fact that smart speakers are always listening brings up a lot of privacy concerns; however, it’s important to note that the recordings are only sent to backend servers once the wake-up word has been heard, and they are also sent over an encrypted connection. That is, of course, if the devices are working as designed. Unfortunately, there have already been some controversies with these devices, for example, when a journalist who was given a Google Home Mini in advance of its general release discovered that the device was making recordings even when he hadn’t said the wake-up word or phrase. Google, in this case, said it was a hardware problem that had to do with the activation button on the device registering “phantom touches” and activating. The bug has since been fixed through a software update, but it shows that such devices could technically be used to always listen in and record everything. All current devices provide the option to listen to previous recordings and delete them if required. This of course also means that you should protect your linked account with a strong password and two-factor authentication (2FA) where possible, as anyone who has access to the account can listen in remotely.

Secure configuration is key

Someone with unsupervised physical access to your smart speaker could potentially modify the device or its settings to their benefit, but that’s true of most Internet of Things (IoT) devices. It is just as important to secure the home Wi-Fi network and all other devices connected to it. Malware on a compromised laptop could attack smart speakers on the same local network and reconfigure them without the need for a password, as the local network is fully trusted. Fortunately, we have yet to see this behavior in the wild.

As a basic guideline, you should not connect security functions like opening door locks to voice-activated smart speakers. If you do, a burglar could simply shout “open the front door” or “disable video recordings now”, which would be bad for not only your digital security but also physical security. The same applies to sensitive information: these devices should not be used to remember passwords or credit card data.

So far, we haven’t seen any mass infection of smart speakers with malware, and it is unlikely to happen anytime soon, as these devices are not directly reachable from the internet. Nearly all existing attacks rely on the misuse of official commands and not on modifying the actual code running on the devices through an exploit. Since all command interpretation goes through the backend servers, the providers have the capability to filter out any malicious trigger sequence. As always with software, there is a risk that some of the services, such as commonly used music streaming services, may have a vulnerability and that the device could be compromised through it. The devices may have other vulnerabilities too, for example, it has been demonstrated with the Bluetooth issues collectively known as BlueBorne that it’s possible for an attacker to take over a smart speaker if they are in range. Fortunately, the BlueBorne vulnerabilities have since been patched by Google and Amazon. Therefore, all devices should use the auto-update function to stay up to date.
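The repeat loop from earlier in the post, together with the kind of backend-side filtering just mentioned, as an added Python model that is not code from the post, Google or Amazon: the two command grammars are deliberately simplified stand-ins for “repeat after me” and “Simon says”, and `backend_filter` is a hypothetical provider-side check that refuses to speak any reply beginning with a known wake word.

```python
import re

# Wake words of the two speakers discussed in the post. The command grammars
# below are a simplified model, not the vendors' real parsers.
WAKE_WORDS = {"google": "ok google", "alexa": "alexa"}
LOOP_COMMAND = "OK Google repeat after me Alexa Simon says OK Google repeat."

def parse_command(device, heard, last_reply):
    """Return what `device` would say aloud after hearing `heard`, or None."""
    text = heard.lower().strip().rstrip(".")
    wake = WAKE_WORDS[device]
    if not text.startswith(wake):
        return None                      # not addressed to this device
    cmd = text[len(wake):].strip()
    if device == "google":
        m = re.fullmatch(r"repeat after me (.+)", cmd)
        if m:
            return m.group(1)
        if cmd == "repeat":              # bare "repeat" re-says the last reply
            return last_reply
    elif device == "alexa":
        m = re.fullmatch(r"simon says (.+)", cmd)
        if m:
            return m.group(1)
    return None

def backend_filter(reply):
    """Hypothetical provider-side check: never speak a reply that another
    assistant (or this one) would hear as a command."""
    if reply is not None and any(reply.lower().startswith(w) for w in WAKE_WORDS.values()):
        return None
    return reply

def simulate(spoken, filtered=False, max_turns=10):
    """Say `spoken` in a room with both devices and let them react to each
    other. Returns the list of (device, reply) spoken aloud; reaching
    max_turns means the devices are stuck in a loop."""
    said = []
    last = {"google": None, "alexa": None}
    current = spoken
    while current is not None and len(said) < max_turns:
        nxt = None
        for dev in ("google", "alexa"):
            reply = parse_command(dev, current, last[dev])
            if filtered:
                reply = backend_filter(reply)
            if reply is not None:
                last[dev] = reply
                said.append((dev, reply))
                nxt = reply
                break
        current = nxt                    # the reply is what the room hears next
    return said
```

Without the filter the Google/Alexa pair keeps talking until `max_turns`; with it, the first reply that starts with “Alexa” is suppressed and the chain never starts, while ordinary commands still work.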

And this is just the beginning. With more and more features getting integrated, there is still a lot to come in this area. The Amazon Echo ecosystem, for example, offers more than 25,000 different extension apps called skills. These skills allow the voice-activated assistant to do things like access other services, order pizza, or interact with other IoT devices at home. Other features allow the assistant to make telephone calls or for the device to be used as an intercom. This option allows users to drop in to the device and listen and potentially see what’s going on at the other end, without the receiver having to accept the call. Of course, there are also a few legal questions still unanswered when it comes to these smart speakers, especially around privacy. For example, do you have to inform any visitors to your home that you have a smart speaker that may potentially record them? We will keep an eye open and follow developments in the smart speaker space with interest.

Luckily, most of the bigger issues can be avoided by proper configuration and deciding how much information should be linked to the device in the first place, but preventing a mischief-maker from setting an alarm on your smart speaker for two o’clock in the morning may prove very difficult.

Protection

After setting up a smart speaker device at home, it is important to configure it securely. We’ve listed a few tips below that will help you focus on the important security and privacy settings. The configuration is done through the mobile app or the website. If you are worried about the security of your smart devices at home, then you might consider the Norton Core secure router, which can help secure your home network, and all the devices on it, from attacks.

Configuration tips

  • Be careful about which accounts you connect to your voice assistant. Consider creating a new account if you do not need to use the calendar or address book.
  • For Google Home you can disable “personal results” from showing up.
  • Erase sensitive recordings from time to time, although this may degrade the quality of the service. (The device uses recordings to learn about how you speak, etc.)
  • If you are not using the voice assistant, mute it. Unfortunately, this can be inconvenient, as most likely it will be switched off when you actually need it.
  • Turn off purchasing if not needed, or set a purchase password.
  • Protect the service account linked to the device with a strong password and 2FA where possible.
  • Use a WPA2-encrypted Wi-Fi network and not an open hotspot at home.
  • Create a separate guest Wi-Fi network for guests and unsecured IoT devices.
  • Lock the voice assistant down to your personal voice pattern, when available.
  • Don’t use the voice assistant to remember private information such as passwords or credit card numbers.
  • Pay attention to notification emails, especially about new order placements.
  • Consider enabling a beep sound at the beginning and end of command recognition.
  • Disable unused services.
  • Do not turn off automatic update functions on the device.

If you would like to know more, check out my whitepaper on smart speakers here.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.

candid wueest
Threat Intel

I work @ Symantec Security Response. My tweets are my own, and not that of my employer. I break stuff, I have fun, I have fun breaking stuff ;)